POLICY ITICKET LLC on the processing and protection of personal data (CONFIDENTIALITY POLICY)

1. General
1.1. This Policy on the processing and protection of personal data of individuals (hereinafter referred to as "Personal Data Owners") (hereinafter referred to as "Policy") is developed and implemented by AITIKET Ltd. (hereinafter referred to as "Organization") in accordance with Article 24 of the Constitution of the Russian Federation, Federal Law No. 152-FZ "On Personal Data" dated 27.07.2006 (as amended), Federal Law No. 38-FZ "On Advertising" dated 13.03.2006 (as amended) and other regulatory acts in the field of protection of personal data enacted in the Russian Federation.

1.2. This Policy applies to all personal data that may be collected from Personal Data Owners by the Organization in the course of its activities, including from employees and customers of the Organization, through the website www.iticket.ru (hereinafter referred to as the "WebSite"), by the telephone number of the Organization.

1.3. The purpose of the Policy is to provide the persons submitting personal data with relevant information in order to assess the scope of the personal data to be processed by the Organization and the purposes of such processing, and the array of relevant security measures in place.

1.4. The Policy governs the activities of the Organization with regard to the processing of the personal data, a procedure and conditions for the processing of the personal data of individuals who have made their personal data available for the processing by the Organization with and without the use of automation, establishes the procedures aiming to prevent infringements of the law of the Russian Federation, addressing the consequences of such infringements arising from the processing of the personal data.

1.5. The Policy ensures the protection of the rights and freedoms of the Owners with regard to the processing of their personal data with or without the use of automation, and it determines the liability of the persons with the access to the personal data for the failure to observe the procedure of processing and protection of the personal data.

1.6. Clients, by using the services of the Organization, having provided the Organization with their personal data, including through third parties, herewith provide their consent to the processing of the personal data in accordance with this Policy. The consent to the processing of personal data may be withdrawn by the Owner of the personal data. In case of withdrawal of the consent to the processing of the personal data by the Subjects of personal data, the Organization is entitled to continue the processing of the personal data without the consent of the Owners of the personal data if there are grounds established by the governing law.

1.7. This Policy may be altered in the event of any amendments to the governing Russian law.

1.8. The Organization shall post an up-to-date version of the Policy on the Organization's website: www.iticket.ru

2. The notion and scope of the personal data
2.1. For the purposes of this Policy, personal data means any information relating directly or indirectly to a specific or identifiable individual (personal data owner).

2.2. The Operator shall process the following personal data provided when registering on the website www.iticket.ru, including when the Owner makes Orders:
- last name, first name;
- telephone number;
- Email;
- the data concerning the services rendered and provided to the Owner, including the history of the Owner's orders;
- the history of queries made by the personal data Owner, including the documents filed by the Owner.

2.3. When using the WebSite services, the Organization also processes other impersonal data, which is automatically transferred in the process of using the WebSite through the software installed on the computer of the individual (Personal Data Subject):
- the data concerning the browser you are using (or the other program you are using to access the site);
- IP address;
- cookies, web beacons and other similar technologies.

3. The grounds and purposes for the processing of the personal data
3.1. The Organisation processes the personal data in order to carry out its activities, to pursue its legitimate interests and needs.

3.2. The Organization shall process the personal data of the Owners of the personal data by maintaining appropriate databases enables by automation, mechanical and manual devices in order to:

3.2.1. fulfill the contract to which the Personal Data Owner is a party, i.e. for the purpose of processing orders, requests or other actions of the Personal Data Owner related to the purchase of tickets for cultural and entertainment events on the website www.iticket.ru, e.g. to notify on the cancellation, replacement or adjournment of events, the procedure for the refund of money / cash for tickets to the events, emailing other updates on the events for which the Personal Data Owner has purchased (booked) tickets, etc.;

3.2.2. to observe the applicable law of the Russian Federation, including, but not limited to, the Federal Act of 22.05.2003 N 54-FZ (ed. of 03.07.2016) "On the use of cash registers for cash transactions and (or) transactions using electronic payment systems" in case the Owner (Client) has provided his/her telephone number or e-mail address prior to the time of such payment to enable emailing of a cash voucher or a registrable electronic form to the Owner (Client) to his/her notified subscription number or an email (if it is feasible to convey the information to the Owner (Client) electronically to the specified email account);

3.2.3. For other purposes in case relevant activities of the Organization do not contradict the applicable law, the business of the Organization and the Personal Data Owner has endorsed the said data processing;

3.2.4. The data specified in paragraph 2.2. of this Policy shall be processed for the purposes of the Website analytics, tracking and understanding of the specifics of the WebSite usage by the visitors, better WebSite performance, the WebSite troubleshooting, the development of new products, expansion of the array of services rendered, measuring the visibility of the events and efficiency of advertising campaigns; ensuring security and fraud prevention, provision of substantial customer support.

4. Rules and procedure for the processing of the personal data
4.1. The Organization shall use computerized automated technology of processing of the personal data, as wall as manual paper-based workflow to render its services and meet its in-house needs.
The Organization shall not make any decisions that may hold the Personal Data Owner liable or otherwise affect his/her rights and legitimate interests exclusively based on the automated processing of the personal data.
The Organization shall store the personal information of the Owners of the personal data pursuant to its governing documents.

4.2. In order to achieve the objectives of this Policy, only those employees of the Organization who are qualified for such function in accordance with their official (work) duties are allowed to process the personal data. The access of other employees may only be allowed in cases provided for by applicable law. The Organization requires its employees to maintain the confidentiality and security of the personal data under the processing.

4.3. The Organization shall begin the processing of the Owner's personal data upon the receipt of the personal data pursuant to subclause 5 of clause 1 of article 6 of the Federal Act "On personal data", and in cases unrelated to the execution of the said contract - upon the consent of the Owner of the personal data for their processing.

4.4. The consent to the processing of the personal data can be given by the Owner of the personal data in any form, allowing to confirm the fact of reception of the consent, unless otherwise set forth in the federal law: in writing, orally or in any other form provided for by the applicable law, including through conclusive actions by the Owner of the personal data. A failure to give the consent of the personal data Owner to the processing of his/her personal data shall mean that the data shall be processed only as long as is necessary for the performance of the contract, to which the Owner of the personal data is a party (i.e. in order to purchase a ticket to a cultural /entertainment event and fulfilling the right to visit a cultural/entertainment event).

4.5. The personal data of the Owners of the personal data are obtained by the Organization:
• by means of personal transfer of personal data by the Owner when entering information into online registration forms on the WebSite at the address: www.iticket.ru;
• by reporting them orally over the phone during the ticketing process;
• through the WebSite, pursuant to paragraph 2.3. of this Policy;
• in other ways that are not in breach of the law of the Russian Federation and relevant international regulations concerning the personal data protection.

4.6. The Organization shall process the personal data by performing any action (operation) or a sum total of actions (operations) with the personal data, including as follows: collection, recording, systematization, accumulation, storage, adjustment (updating, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, removal, and destruction.

4.7. The personal data of the Owner shall remain confidential, except in cases when the Owner voluntarily provides information about himself/herself for public access to an unlimited circle of persons (personal data made available to the public by the Owner of the personal data). In this case, the Owner of the personal data agrees that a certain part of his/her personal data becomes publicly available and does not require a consent to the processing of such data in accordance with subclause 10, clause 1 of article 6 of the Federal Act "On personal data".

4.8. The Organisation may transfer the personal data to any third parties in the following cases:
- The Owner of the personal data has clearly expressed his/her consent to such actions;
- the transfer is envisaged under Russian or other applicable law via a procedure established by law;
- the transfer occurs as part of the sale or other transfer of the business (in whole or in part). The acquirer shall incur any and all obligations under this Policy as far as the received data are concerned.

4.9. Pursuant to this Policy, the Operator may process the personal data independently and engage any third parties to be employed by the Operator to do the processing thereof for the purposes specified in this Policy. The Owner agrees that the Operator is entitled to transfer the personal data to any third parties, in particular, LLC "SMS-Center". (OGRN 1117746756489), PJSC "SBERBANK". (OGRN 1027700132195), Yandex LLC (OGRN 1027700229193), Google LLC (1057749528100), hosting providers, telecommunications companies and other third parties (when transferring personal data in cases stipulated by law) solely for the purposes specified in paragraph 3.2 of this Policy.

4.10. The timeframe for the processing of the personal data is defined based on the purposes of the processing in the information systems of the Organization, within the term of validity of the contract, the agreement with the Owner of the personal data, with the List of standard managerial documents resulting from the activities of public authorities, local governments and organisations indicating the period of storage (Order No. 558 dated 25/08/2010), limitation period, and also other provisions of law and governing documents of the Organisation.

5. Implementation of the personal data protection procedure
5.1. The processing of personal data by the Organization is inextricably linked to the protection of the confidentiality of the information received by the Organization.

5.2. It is the requirement of the Organisation that any other persons becoming familiarized with the personal data abstain from disclosing and disseminating the personal data to any third parties without the express consent of the Owner of the personal data, unless otherwise provided for in the federal law.

5.3. All employees of the Organization are obliged to ensure confidentiality of the personal data, as well as other information established by the Organization, unless otherwise specified by the applicable law of the Russian Federation.

5.4. In order to ensure the safety of the processed personal data, the Organization shall take relevant and adequate legal, organizational and technical measures for the protection of the personal data from wrongful or casual access to them, destructions, changes, blocking, copying, granting, distribution of the personal data, and also from other wrongful actions in their regard. The Organization shall ensure that all measures taken for organizational and technical protection of personal data are conducted legally, including the observance of relevant regulations of the Russian Federation law on personal data processing.

5.5. When processing personal data in the Organization's information systems, the following prerequisites shall be ensured:
- taking measures aimed at preventing unauthorized access to personal data and/or transfer of such data to any unauthorized persons not entitled to have access to such information;
- timely detection of unauthorized access to the personal data;
- prevention of any interference to technical means of automated processing of the personal data resulting in their malfunction;
- the possibility of immediate recovery of the personal data modified and destroyed as a result of unauthorized access;
- continuous monitoring of the level of security of the personal data.

5.6. In order to ensure that the level of protection of the personal data complies with the requirements of the Federal Law dated 27.07.2006 No. 152-FZ "On personal data" and the Federal Law dated 27/07/2006 No. 149-FZ "On information, information technology and information protection", the Organization shall not disclose any information on specific means and measures used to ensure the information security of the personal data.

5.7. The Organization shall not disclose any information received from the Owner of the personal data. Providing by the Operator of information to agents and third parties acting based on the contract with the Operator for performance of obligations to the Owner of the personal data, as well as other cases provided by this Policy shall not constitute a breach hereof. It shall not be deemed a breach of any obligation to disclose information in accordance with reasonable and applicable legal requirements.

6. Consent to receive ads via telecommunication networks
6.1. As a user of www.iticket.ru, the Owner of the personal data may receive periodic mailings (information, holiday, etc.) to the registered e-mail address, as well as automatic order confirmation and service notifications.
The Organization herewith guarantees that the Owner's email address remains immune to any spamming activities.

6.2. By giving the consent specified in paragraph 5.1. of this Policy, the Owner of the personal data warrants acting in a free will fashion, under no compulsion and out of his/her own interest, and that the said personal data are true

7. Conclusions
7.1. This Policy has been endorsed by the Chief Executive Officer of LLC ITICKET and come into force from the date of its signing, and as far as the Owners of the personal data are concerned - from the date of publication of the Policy on the website www.iticket.ru.

7.2. Unilaterally, without prior notice to the Owners of the personal data, this Policy may be amended and /or modified upon the approval of the Chief Executive Officer of ITICKET LLC, being subsequently published on the website www.iticket.ru and become binding to the Owners of the personal data from the date of publication of such amendments and/or modifications. The Owner of the personal data shall be liable for the review of this Agreement for any alterations hereof.

7.3. The version of the Policy published (posted) in the open access online at the address: www.iticket.ru shall be binding of the Owners of the personal data throughout the entire period of such publication (placement).